Bug 757

Summary:

KRB5CCNAME inherited from root's environment under AIX

Product:

Portable OpenSSH

Reporter:

Mike Dopheide <dopheide>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

minor

Keywords:

openbsd, patch

Priority:

Version:

-current

Hardware:

PPC

OS:

AIX

Bug Depends on:

Bug Blocks:

793

Attachments:

Description	Flags
unsets KRB5CCNAME at the beginning of main() in sshd.c	none
Add unsetenv() to openbsd-compat	none
Clear child's environment	none
Clear daemon's environment at startup	none

Description Mike Dopheide 2003-11-12 16:29:19 AEDT

Under AIX, if you restart sshd as root while you have KRB5CCNAME set in root's
environment (typical after 'ksu'ing), the value of KRB5CCNAME will be inherited
by all connecting clients.  The code that causes this inheritance is in
session.c. Darren Tucker on the openssh-unix-dev mailling list thinks this is
due to how AIX's authenticate() function works (seen in auth-passwd.c).

As a result, the correct fix would be to unset KRB5CCNAME from the environment
at the start.  Unfortunately, unsetenv() isn't a standard call on AIX systems. 
I will attach a patch that fixes this problem.

Comment 1 Mike Dopheide 2003-11-12 16:30:44 AEDT

Created attachment 497 [details]
unsets KRB5CCNAME at the beginning of main() in sshd.c

Comment 2 Darren Tucker 2003-11-12 22:43:31 AEDT

Created attachment 498 [details]
Add unsetenv() to openbsd-compat

This bit:  strncmp(*curenv, krbccenv, strlen(krbccenv)) == 0
will match env variables longer than 10 chars where the first 10 are
"KRB5CCNAME".

AIX 5.2, at least, has an unsetenv(), so I think we should use it where
possible, and add one to openbsd-compat for versions that don't have it.

Comment 3 Darren Tucker 2003-12-23 00:44:49 AEDT

Created attachment 517 [details]
Clear child's environment

Please try this patch, which clears the child's entire environment.

Comment 4 Darren Tucker 2003-12-31 16:49:53 AEDT

Created attachment 520 [details]
Clear daemon's environment at startup

The patch in attachment #517 [details] probably won't work as it clear's the wrong
environment.  Please try this patch, which works for me if I manually set
KRB5CCNAME before starting sshd.

Comment 5 Mike Dopheide 2004-01-01 06:08:54 AEDT

Yup, patch #520 works great in my tests.  Are there plans to merge this into the
OpenSSH portable tree?

Comment 6 Damien Miller 2004-01-22 20:39:33 AEDT

Comment on attachment 520 [details]
Clear daemon's environment at startup

>+
>+	/* Clear environment */
>+	environ[0] = NULL;

hm, I think that cygwin may need to preserve some environment vars, 
so this needs to be !HAVE_CYGWIN at least.

Comment 7 Darren Tucker 2004-02-06 16:05:27 AEDT

This has now been fixed, thanks for the report.

 - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
   accidentally inheriting from root's environment.  ok djm@

Comment 8 Damien Miller 2004-04-14 12:24:20 AEST

Mass change of RESOLVED bugs to CLOSED